Closed
Bug 412543
Opened 17 years ago
Closed 15 years ago
"ASSERTION: null frame is not allowed" and abort [@ IsPercentageAware] with :first-letter, moz-column (again)
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: jruderman, Unassigned)
References
Details
(4 keywords, Whiteboard: [sg:dupe 429969])
Crash Data
Attachments
(1 file)
231 bytes,
text/html
|
Details |
This bug is similar to the recently-fixed bug 408493 in several ways: both testcases use -moz-column and :first-letter, and both result in the same assertion and abort. The testcase is probably font-dependent :( I don't know why I'm having a hard time switching the testcase to a more predictable font or why some of the characters have to be punctuation rather than letters.
Reporter | ||
Comment 1•16 years ago
|
||
WFM, crashtest pushed.
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Resolution: --- → WORKSFORME
Comment 2•15 years ago
|
||
layout/generic/crashtests/412543-1.html 1.9.0 !exploitable report PROBABLY_EXPLOITABLE: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!IsPercentageAware
Group: core-security
Status: RESOLVED → REOPENED
Flags: blocking1.9.0.11?
OS: Mac OS X → Windows XP
Resolution: WORKSFORME → ---
Comment 3•15 years ago
|
||
So.... this is still WFM on trunk, right?
Comment 4•15 years ago
|
||
as far as I know at this point. sorry, i meant to change the version when i repurposed it for 1.9.0. It is an enabled crash test on the trunk and would have been flagged there if it was failing at least in opt builds. I'll double check 1.9.1 and 1.9.2 next. My concern is this is a public crash test which could be mined for exploitable crashes on older branches.
Version: Trunk → 1.9.0 Branch
Comment 5•15 years ago
|
||
In a debug build this is a reliable and unexploitable null deref as described in the summary. In opt it's less clear, I consistently get the following stack which seems to be crashing in a strange spot: bp-7a2e0a79-f088-44a7-b2ca-ea13d2090504 bp-40981db9-790e-4b0f-837c-a29552090504
Status: REOPENED → NEW
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.12?
Flags: blocking1.9.0.11?
Whiteboard: [sg:investigate]
Comment 6•15 years ago
|
||
qawanted: when did this crash "go away" on the trunk? What are potential fixing bugs?
Keywords: qawanted
Whiteboard: [sg:investigate] → [sg:investigate] fix-window-wanted
Updated•15 years ago
|
Flags: blocking1.9.0.12? → blocking1.9.0.12+
Comment 7•15 years ago
|
||
I see a gression range between 2008-07-02 and 2008-07-03 on trunk http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-07-02+02%3A00&enddate=2008-07-03+02%3A00, which suggests bug 399941. That was a largish patch which changed behaviour in a number of cases. Do we want to take the whole thing on 1.9.0 or try to find a subset of the patch which will prevent the crash?
Comment 8•15 years ago
|
||
There is also the possibility that the change in first-letter behaviour caused by 399941 masks the bug on trunk rather than solving it.
Comment 9•15 years ago
|
||
We don't really want all of bug 399941 on the branch, is it possible to come up with a smallish wallpaper patch? Following up to find a targeted fix might help us determine whether the problem is just masked or fixed on trunk, because if it's just masked there might be another way to expose it.
Keywords: qawanted
Whiteboard: [sg:investigate] fix-window-wanted → [sg:investigate]
Comment 10•15 years ago
|
||
I just updated my branch tree to start working on this and the bug seems to have become WORKSFORME. Can any one else confirm? Maybe bug 429968 fixed it?
Comment 11•15 years ago
|
||
Apparently so -- On WinXP I crash in an older 3.0.x but not in 3.0.11 beta.
Depends on: 429968
Flags: blocking1.9.0.12+
Keywords: fixed1.9.0.11
Whiteboard: [sg:investigate] → [sg:dupe 429969]
Comment 12•15 years ago
|
||
Checked the crashtest in to 1.9.0 and reresolving.
Status: NEW → RESOLVED
Closed: 16 years ago → 15 years ago
Resolution: --- → WORKSFORME
Updated•15 years ago
|
Flags: wanted1.9.0.x+
Updated•15 years ago
|
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x-
Updated•15 years ago
|
Group: core-security
Assignee | ||
Updated•13 years ago
|
Crash Signature: [@ IsPercentageAware]
You need to log in
before you can comment on or make changes to this bug.
Description
•